Re: [ossec-list] Decoder/Rules Problem

2011-03-07 Thread dan (ddp)
Hi Nate, On Mon, Mar 7, 2011 at 10:49 AM, Nate Woodward nate.woodw...@the-connection.com wrote: Hi, I'm trying to set up some decoders and rules for a piece of software we use to authenticate Windows AD users to Linux boxes. Here are the messages I'm getting: OSSEC HIDS Notification. 2011

[ossec-list] syscheckd diff results

2011-03-07 Thread Castle, Shane
I'm thinking of modifying the diff_cmd in syscheckd/seechanges.c and agentlessd/agentlessd.c to be unified (-u). Any comments on whether or not this is a good idea? The only thing I can think of is that it might make the diff results longer, unless it is restricted to just the changed lines (no

RE: [ossec-list] Decoder/Rules Problem

2011-03-07 Thread Nate Woodward
Dan, -Original Message- From: dan (ddp) [mailto:ddp...@gmail.com] Sent: Monday, March 07, 2011 10:35 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Decoder/Rules Problem Hi Nate, On Mon, Mar 7, 2011 at 10:49 AM, Nate Woodward nate.woodw...@the-connection.com

[ossec-list] Re: Problem disabling email alerts for a rule

2011-03-07 Thread gutsy gibbon
I am pretty sure I can help you with this if you tell me what the alert you got is... All I need is the one-line alert... Sorry, I can't get it from your post. I think the line is: Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating. Please confirm. If the above is the alert, two things: 1. Since you are using

[ossec-list] Re: Deletion of log data

2011-03-07 Thread gutsy gibbon
What log file did you open with vim? Make sure that the log file you open is included in the ossec.conf file, and just to make sure the rule works, reduce the 6 hr syscheck thing... get it to run right after you edit the file. On Mar 6, 10:54 am, Tanishk Lakhaani tanishk2...@gmail.com wrote: I think it

RE: [ossec-list] Re: Deletion of log data

2011-03-07 Thread Nate Woodward
-Original Message- From: gutsy gibbon [mailto:gibbongutsy...@gmail.com] Sent: Monday, March 07, 2011 12:52 PM To: ossec-list Subject: [ossec-list] Re: Deletion of log data what log file did u open with vim...make sure that the log file u open is included in the ossec.conf

RE: [ossec-list] Re: Deletion of log data

2011-03-07 Thread Gurtaj Singh
Yeah, I know what you mean. But a couple of days ago I modified a file (I think it was the /etc/group file)... syscheck fired a level 7 alert like 2 min later... it detected a modified file... haven't tried a reduced logfile yet. Also, can you tell me what log file you used? On Mon, 2011-03-07 at 13:31

[ossec-list] 404 Not Found

2011-03-07 Thread Gurtaj Singh
Hey, I have OSSEC installed properly and working. Just wanted to try out the ossec-wui, so I downloaded it and did whatever the lighttpd install guide said, and when I go to the wui webpage I get a 404 NOT FOUND error. Please tell me what I am doing wrong. I installed it under

Re: [ossec-list] 404 Not Found

2011-03-07 Thread dan (ddp)
Hi Gurtaj, You don't include nearly enough information to know why this isn't working. We don't know your lighttpd configuration. We don't know what you really did. We don't know lighttpd's error message. We don't know why you want to use the wui (it's old and not maintained). You can start

[ossec-list] Re: Deletion of log data

2011-03-07 Thread gutsy gibbon
Hmm, OK... so wait, I can guarantee any tampering gets detected as the md5sum and sha1sum change... BUT it's not detected in real time. I'll look into this tomorrow if you don't mind. I have a couple of issues with the WUI. FYI, I'm Gurtaj xD On Mar 7, 2:48 pm, Gurtaj Singh gurtaj.si...@esentire.com
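
The point made in this thread (a modified /etc/group is caught because its md5sum and sha1sum change, but only when the scheduled scan runs) is easy to see in a small stand-alone integrity checker. The example below is added here and is not OSSEC's own syscheck code: it fingerprints every regular file under a directory with size/md5/sha1, compares two scans, and reports added, deleted and modified paths. The `demo()` scenario, the fake `etc/` tree, and the file contents are all constructed for illustration. The second half of the scenario shows the limitation the thread is circling: a file that is modified and restored between two scans looks untouched to a periodic check.

```python
"""Periodic file-integrity check in the style of OSSEC syscheck.

Added example, not OSSEC code. Fingerprints files with size/md5/sha1,
diffs two scans, and demonstrates that a change reverted between scans
is invisible to scan-time checking.
"""
import hashlib
import os
import shutil
import tempfile


def fingerprint(path):
    """Return (size, md5, sha1) for one file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def scan(root):
    """Map each regular file under root (relative, '/'-separated) to its fingerprint."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # regular files only; symlinks and specials are skipped
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = fingerprint(full)
    return db


def compare(baseline, current):
    """Classify paths as added, deleted or modified between two scans."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "deleted": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temp dir. Returns (caught, missed) change sets."""
    root = tempfile.mkdtemp(prefix="syscheck-demo-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        group = os.path.join(root, "etc", "group")
        with open(group, "w") as fh:
            fh.write("root:x:0:\nwheel:x:10:alice\n")
        with open(os.path.join(root, "etc", "hostname"), "w") as fh:
            fh.write("pos-vm\n")
        baseline = scan(root)

        # Scan 1: a user is added to wheel and a preload file appears; both persist
        # until the next scheduled scan, so the hash comparison catches them.
        with open(group, "w") as fh:
            fh.write("root:x:0:\nwheel:x:10:alice,mallory\n")
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as fh:
            fh.write("/tmp/evil.so\n")
        caught = compare(baseline, scan(root))
        baseline = scan(root)  # accept the new state, as syscheck does after alerting

        # Scan 2: the same file is modified and restored before the next scan runs.
        # Size, md5 and sha1 are back to the baseline values, so nothing is reported.
        with open(group, "rb") as fh:
            original = fh.read()
        with open(group, "wb") as fh:
            fh.write(original + b"backdoor:x:0:\n")
        with open(group, "wb") as fh:
            fh.write(original)
        missed = compare(baseline, scan(root))
        return caught, missed
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    caught, missed = demo()
    print("scan 1 (persistent change):", caught)
    print("scan 2 (change reverted between scans):", missed)
```

Shortening the scan interval, as suggested earlier in the thread, narrows the window but does not close it; only an event-driven watch on the file sees the intermediate write.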

RE: [ossec-list] Re: Deletion of log data

2011-03-07 Thread Nate Woodward
Hi Gurtaj, -Original Message- From: Gurtaj Singh [mailto:gurtaj.si...@esentire.com] Sent: Monday, March 07, 2011 1:49 PM To: ossec-list@googlegroups.com Subject: RE: [ossec-list] Re: Deletion of log data Yea I know what u mean. But a couple of days ago i modified a file(I think

Re: [ossec-list] 404 Not Found

2011-03-07 Thread Gurtaj Singh
OK, I'll give you the info you need (to the best of my potential) BUT I can guarantee lighttpd and PHP work... (because I can get the default page on my IP). Permissions is a good point... let me get that done. And as to why I want to use it: the REASON is my employer wants a GUI :( What I really did is as per

[ossec-list] Does OSSEC pre-decoding provide a way to glean the log filename

2011-03-07 Thread Shaikat Majumdar
Does OSSEC pre-decoding provide a way to glean the log filename causing an alert? If not, can this be done using a custom-defined decoder? -- Shaikat Majumdar Millburn Ridgefield Corporation

Re: [ossec-list] 404 Not Found

2011-03-07 Thread dan (ddp)
The user/group thing is explained in step 9 in the document you linked to. Instead of the www user, you need to add www-data (make sure www-data exists as well). From your config: server.username= www-data On Mon, Mar 7, 2011 at 3:15 PM, Gurtaj Singh gurtaj.si...@esentire.com wrote:

Re: [ossec-list] Does OSSEC pre-decoding provide a way to glean the log filename

2011-03-07 Thread dan (ddp)
You can try location. I can't find any real documentation on it at the moment, and I don't think I've done any real testing with it. On Mon, Mar 7, 2011 at 3:49 PM, Shaikat Majumdar smajum...@millburncorp.com wrote: Does OSSEC pre-decoding provide a way to glean the log filename causing an

Re: [ossec-list] Does OSSEC pre-decoding provide a way to glean the log filename

2011-03-07 Thread Gurtaj Singh
Wow, I hate replying to emails like this... I saw your name and replied to the wrong post!!! PFFTTT On Mon, 2011-03-07 at 15:58 -0500, dan (ddp) wrote: You can try location. I can't find any real documentation on it at the moment, and I don't think I've done any real testing with it. On Mon,

Re: [ossec-list] Does OSSEC pre-decoding provide a way to glean the log filename

2011-03-07 Thread Gurtaj Singh
OK, thanks for the reply... I'll try that... if it doesn't work, I'll just quote you and tell my employer how unsupported the web UI is! Hopefully, he will get over it xD On Mon, 2011-03-07 at 15:58 -0500, dan (ddp) wrote: You can try location. I can't find any real documentation on it at the moment,

Re: [ossec-list] Does OSSEC pre-decoding provide a way to glean the log filename

2011-03-07 Thread Shaikat Majumdar
How would you go about testing this feature (location)... with ossec-logtest? The way I am setting this up is I am using the location tag for specifying the log file location in the /var/ossec/etc/shared/agent.conf file. In the alert log (this is based on a custom rule that I have defined) I

Re: [ossec-list] Re: Problem disabling email alerts for a rule

2011-03-07 Thread Lars Oberg
OK, great. Yes, it is the Kernel log daemon terminating message: _This is the alert in the alert.log:_ ** Alert 1299259678.72480: mail - syslog,linuxkernel,system_shutdown, 2011 Mar 04 09:27:58 (pos-vm) 10.1.1.152->/var/log/messages Rule: 5113 (level 7) -> 'System is shutting down.' Src IP:
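
Two threads above ask about the same piece of data from different sides: Shaikat wants the log filename that produced an alert, and Lars pastes an alert whose second line is exactly that, `(pos-vm) 10.1.1.152->/var/log/messages` (agent name, agent IP, and the log location). Whatever the rule-side `location` option does at decode time, the location survives into alerts.log, so a consumer of the alert file can recover it. The parser below is an added example, not OSSEC code and not ossec-logtest: it splits alerts.log into blocks and pulls out the alert id, groups, timestamp, host, agent IP, location, rule id/level/description and the raw log line. The sample text is constructed to follow the alerts.log layout; the first block mirrors Lars's alert, the second is an invented syscheck alert from the manager itself (the `ossec-server` name and the digests in it are made up).

```python
"""Parse OSSEC alerts.log blocks and recover each alert's location fields.

Added example, not OSSEC code. SAMPLE_ALERTS is constructed: block one
mirrors the shutdown alert quoted in the thread, block two is an invented
syscheck alert from the manager (no agent name or IP, location 'syscheck').
"""
import re

SAMPLE_ALERTS = """\
** Alert 1299259678.72480: mail - syslog,linuxkernel,system_shutdown,
2011 Mar 04 09:27:58 (pos-vm) 10.1.1.152->/var/log/messages
Rule: 5113 (level 7) -> 'System is shutting down.'
Src IP: (none)
User: (none)
Mar  4 09:27:57 pos-vm kernel: Kernel log daemon terminating.

** Alert 1299500000.12345: - ossec,syscheck,
2011 Mar 07 13:33:20 ossec-server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/etc/group'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'
"""

# "** Alert <unix.seq>: [mail] - group1,group2,"   (the 'mail' flag is optional)
HEADER_RE = re.compile(r"^\*\* Alert (?P<uid>\d+\.\d+):(?: (?P<flag>\w+))? - (?P<groups>.*)$")
# Agent form: "(agent) ip->location"; local form: "host->location"
LOCATION_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>[^\s>]+)|(?P<host>[^\s>]+))"
    r"->(?P<location>.+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alert(block):
    """Turn one alerts.log block into a dict; raise ValueError if it is not one."""
    lines = block.strip("\n").split("\n")
    if len(lines) < 3:
        raise ValueError("alert block too short: %r" % block)
    head, loc, rule = HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]), RULE_RE.match(lines[2])
    if not (head and loc and rule):
        raise ValueError("not an OSSEC alert block: %r" % lines[0])
    # Optional 'Src IP:' / 'User:' fields come next; whatever remains is the raw log.
    rest, fields = lines[3:], {}
    while rest and (rest[0].startswith("Src IP: ") or rest[0].startswith("User: ")):
        key, _, value = rest.pop(0).partition(": ")
        fields[key] = value
    return {
        "uid": head["uid"],
        "mail": head["flag"] == "mail",
        "groups": [g for g in head["groups"].split(",") if g],
        "timestamp": loc["ts"],
        "host": loc["agent"] or loc["host"],
        "agent_ip": loc["ip"],            # None for alerts raised on the manager itself
        "location": loc["location"],      # the log file (or 'syscheck', 'rootcheck', ...)
        "rule_id": int(rule["id"]),
        "level": int(rule["level"]),
        "description": rule["desc"],
        "src_ip": fields.get("Src IP"),
        "user": fields.get("User"),
        "log": "\n".join(rest),
    }


def parse_alerts(text):
    """Split alerts.log text on blank lines and parse every block."""
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip("\n")) if b.strip()]


def alerts_from_location(alerts, location):
    """Select the alerts whose originating log location matches exactly."""
    return [a for a in alerts if a["location"] == location]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print("%s rule %d level %d from %s (%s) via %s" % (
            a["timestamp"], a["rule_id"], a["level"], a["host"], a["agent_ip"], a["location"]))
```

The location string is whatever the agent was configured to read (the `<location>` value from ossec.conf or the shared agent.conf), so a rule or a consumer that keys on it must use the same spelling as the agent configuration; the blank-line split assumes no raw log line in a block is itself empty, which holds for the formats shown here.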

[ossec-list] Disabling Rule 1002 Output - I'm doin it rong!

2011-03-07 Thread Walter H. Jamison, Jr.
I have a script that backs up my MySQL databases by flushing the database, freezing the filesystem and then creating an LVM snapshot of the volume the database is located on. This is then mounted and archived with tar and gzip and then the snapshot is unmounted and destroyed. When the snapshot is

Re: [ossec-list] Disabling Rule 1002 Output - I'm doin it rong!

2011-03-07 Thread James Ford
That's odd. I've got a very similar rule setup and it works perfectly. What is even stranger is that it passes the log test matching to the proper rule. Have you checked that the spacing is 100% the same in your test that you run against log test and that you built the rule on as it actually